Package: apache2 Version: 2.4.10-10+deb8u4 Severity: important CAs, browser vendors and other software developers are actively disabling SHA-1 support and shifting to the SHA-2 (SHA-256) digest algorithm.
How will Apache web server deal with this? If not following upstream, how will it be done in the Debian packages? For example, will Apache refuse to run with an SHA-1 server certificate? Will it refuse to validate SHA-1 client certificates that were accepted previously? Will SHA-1 support simply be disabled by default but people can get it back through a trivial configuration change? Or will people need to recompile if they still need to support any SHA1 certificates? Will SHA-1 be deprecated in any security fix release to jessie and wheezy, or it will only disappear as part of the stretch release cycle? Could the Apache maintainers please add some comments about it on the wiki? https://wiki.debian.org/SHA-1 One aspect of this problem is that there are many hardware devices out there with built-in client certificates using the SHA-1 digest. When these devices make connections to an Apache server using client TLS (mutual TLS) authentication, they won't be able to send an SHA-256 certificate and they may not be able to verify an SHA-256 certificate on the server side. People with hardware like that probably need to start planning their migration now if there will be no backwards-compatible support for them. This has also been discussed on debian-security https://lists.debian.org/debian-security/2016/05/msg00039.html